Web 2.0: next-generation web threats

By: Fran Howarth, Principal Analyst, Quocirca
Published: 3rd January 2008
Copyright Quocirca © 2008

Web 2.0 technologies form the basis of the next generation of web-based applications. They allow web applications to be developed that are more functionally rich and responsive than the typically static pages of traditional web technologies. They also enable content to be generated and shared in real time, with end-users commonly able to add content to applications themselves.

This means that Web 2.0 technologies promote open communications and give users the freedom to share ideas and opinions. Companies are using Web 2.0 technologies to communicate with customers, business partners and potential employees, allowing them to achieve the goal of true real-time collaboration among these parties. This can increase productivity and provides companies with a way to more easily promote their products. In particular, the creation of online communities and blogs or wikis to initiate conversations and share knowledge is proving to be particularly interesting to companies.

But new technologies often bring new security challenges—and Web 2.0 technologies are no exception. On the one hand, the underlying technologies used actually raise the risk of web-based attacks whilst, on the other, the way that users interact with Web 2.0 applications increases the risk that sensitive information will be misappropriated. This means that the security challenges of Web 2.0 applications are both technical and commercial in nature.

Technical aspects of Web 2.0 security

On the technical side, most Web 2.0 applications make use of a new programming language, AJAX, which is itself a bundle of programming tools such as JavaScript and XML. One of the problems with AJAX is the amount of processing logic that occurs on the browser client side, instead of at the server level. JavaScript code can be embedded in HTML pages and interpreted by the web browser. Whilst this allows websites to appear more dynamic and interactive, it also means that more of the business logic is exposed to the user, such as access control and session management logic.

Attackers can make an adjustment to the programming code—for example, to get around access controls so that they can masquerade as other users. Alternatively, they can insert malicious code into the application, or disable request throttling (which limits the number of network requests accepted) and other safeguards in order to launch denial of service attacks.
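
The defence against both problems described above is the same: the decision must be made from state the server holds, so that whatever a user does to the JavaScript delivered to their browser changes nothing. The following is an added example, not code from the article or from Quocirca. It contrasts a handler that trusts a role claim sent by the client with one that reads the role from a server-side session store, and adds a server-side request throttle; the session store, the request shapes and the function names are assumptions made for the illustration.

```javascript
// Added example: authorization and throttling enforced from server-held state.
// The session store, request objects and names below are constructed for the
// illustration and are not part of the original article.

// Constructed server-side session store: what the server knows about a login.
const sessions = new Map([
  ['sess-alice', { user: 'alice', role: 'user' }],
  ['sess-admin', { user: 'carol', role: 'admin' }],
]);

// Vulnerable pattern: trusts a role claim that travelled in the request body,
// which is exactly the kind of value browser-side code can be edited to set.
function handleDeleteTrustingClient(request) {
  if (request.body.role === 'admin') {
    return { status: 200, deleted: request.body.recordId };
  }
  return { status: 403 };
}

// Hardened pattern: the role is looked up from the server's own session record
// using the session cookie; any role field in the body is ignored entirely.
function handleDeleteServerSide(request) {
  const session = sessions.get(request.cookies.sessionId);
  if (!session) return { status: 401 };
  if (session.role !== 'admin') return { status: 403 };
  return { status: 200, deleted: request.body.recordId };
}

// Server-side request throttle (fixed window, counted per key). Because the
// counter lives on the server, removing throttling code from the browser
// has no effect on whether a request is accepted.
class RequestThrottle {
  constructor(limit, windowMs, now = Date.now) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;            // injectable clock, so the demo is deterministic
    this.buckets = new Map();  // key -> { windowStart, count }
  }

  // Returns true if the request identified by `key` may proceed.
  allow(key) {
    const t = this.now();
    const bucket = this.buckets.get(key);
    if (!bucket || t - bucket.windowStart >= this.windowMs) {
      this.buckets.set(key, { windowStart: t, count: 1 });
      return true;
    }
    bucket.count += 1;
    return bucket.count <= this.limit;
  }
}

// Constructed request: an ordinary user whose browser-side code has been
// altered to claim admin rights in the request body.
const forgedRequest = {
  cookies: { sessionId: 'sess-alice' },
  body: { role: 'admin', recordId: 42 },
};

function demo() {
  const trusting = handleDeleteTrustingClient(forgedRequest).status; // 200
  const hardened = handleDeleteServerSide(forgedRequest).status;     // 403
  const throttle = new RequestThrottle(3, 60000, () => 0);
  const allowed = [1, 2, 3, 4].map(() => throttle.allow('sess-alice'));
  return { trusting, hardened, allowed }; // allowed: [true, true, true, false]
}

console.log(demo());
```

The point of the contrast is that the client-trusting handler cannot be repaired by improving the browser-side code: any check that runs in the browser is advisory. The throttle here is deliberately simple (a fixed window per session); a production deployment would key it on more than one attribute and share the counters across servers.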

Another feature of AJAX is that it incorporates a large number of smaller modules and a higher level of interaction between modules than traditional programming languages. This presents a challenge for programmers and raises the possibility of human errors being made in coding. The large number of small modules also makes AJAX more vulnerable to attack as it increases the overall attack surface, with each request for information and response representing a potential attack vector.

The Open Web Application Security Project, better known as OWASP, is an open worldwide community focused on improving application security. It keeps track of the top ten application security vulnerabilities—the majority of which affect Web 2.0 technologies.

In the 2007 list, cross-site scripting is seen as the most critical security vulnerability affecting websites today. Cross-site scripting attacks can occur when web pages are poorly coded—and, as already said, AJAX is prone to programming errors. This allows attackers to perform such exploits as hijacking user accounts, launching information-stealing phishing scams or downloading malicious code onto users' computers.

AJAX is particularly vulnerable to this type of exploit as there is no way to validate inputs. This allows an attacker to input code in JavaScript, which then gets injected into the browser and causes the same problems as a buffer overflow, enabling the attacker to take control of the system.
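
The standard countermeasure to the injection described above is to validate user input against an allow-list on the server and to HTML-encode every untrusted value at the point where it is written into a page. The following added example is not code from the article; it shows a page fragment rendered with plain string concatenation beside the same fragment rendered through an encoding function, plus an allow-list validator for a field of known shape. The sample comment and the function names are constructed for the illustration.

```javascript
// Added example: output encoding and allow-list validation for user content.
// The sample comment and all names here are constructed for the illustration.

// Encode the five characters that let text break out of an HTML text node
// or a double-quoted attribute value.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable rendering: the comment body is concatenated straight into markup,
// so a <script> element in the body becomes part of the page.
function renderCommentUnsafe(author, body) {
  return '<li><b>' + author + '</b>: ' + body + '</li>';
}

// Hardened rendering: every untrusted value passes through escapeHtml, so the
// same body is displayed as text and never parsed as markup.
function renderCommentSafe(author, body) {
  return '<li><b>' + escapeHtml(author) + '</b>: ' + escapeHtml(body) + '</li>';
}

// Server-side validation for a field with a known shape (a display name):
// accept only the characters the field legitimately needs, with a length cap,
// rather than trying to enumerate every dangerous sequence.
function validateDisplayName(name) {
  return typeof name === 'string' && /^[A-Za-z0-9 _.-]{1,32}$/.test(name);
}

// Constructed sample submission: a comment whose body carries a script element.
const sampleComment = {
  author: 'bob',
  body: 'Nice post <script>document.title="changed"</script>',
};

function demo() {
  return {
    unsafe: renderCommentUnsafe(sampleComment.author, sampleComment.body),
    safe: renderCommentSafe(sampleComment.author, sampleComment.body),
    nameAccepted: validateDisplayName('fran_h'),
    nameRejected: validateDisplayName('<b>fran</b>'),
  };
}

console.log(demo());
```

Encoding is context-specific: `escapeHtml` is correct for text nodes and quoted attribute values, but a value placed inside a JavaScript string, a URL or a CSS rule needs the encoding rules of that context, and encoding at output time does not remove the need to validate at input time.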

The commercial aspects of Web 2.0 security

A key feature of Web 2.0 applications is that users are more readily able to upload content themselves—such as personal details to social networking sites, information for corporate blogs or contributions to wikis. This is having a big impact on corporate cultures, leading to a major shift in who defines what and how information flows in an organisation, as well as who the authoritative voices are.

At one end of the scale, employees can add uncensored content that can perhaps be damaging to a company's reputation or can post sensitive company information online for all to see. At the other end, users can lay themselves open to having their identities stolen by including too much personal information on social networking sites such as Facebook.

Sometimes they even expose company information on such sites, for instance by registering for a site using a corporate email address and other company details. These practices can leave companies and individuals open to social engineering exploits—and identity theft and phishing and pharming attacks—as well as harming reputations.

Users are able to add a great deal of information to Web 2.0 sites, including uploading files that can potentially be infected with malware such as worms and viruses. This may well be unintentional, such as the uploading of an unchecked file from a friend, or it may be done with malicious intent by a hacker owing to the ease of injecting code into AJAX programs.

The outlook

Web 2.0 technologies are fairly new and were initially expected to be next-generation technologies for consumer applications, but many companies are realising the value that they offer businesses as well and this is only likely to increase as time goes by. The security challenges that they bring to light will also increase exposure to risk.

Hackers are becoming increasingly sophisticated, looking to target their attacks at specific people and organisations, and the security vulnerabilities of Web 2.0 tools provide them with rich hunting grounds. Already, cross-site scripting is the widest avenue for phishing attacks, and particular growth has been seen in such exploits in recent months, affecting companies that include Yahoo, Microsoft, eBay and Google.

The second most worrying type of attack is cross-site request forgery, in which an attacker tricks a website into thinking it is sending and receiving data to and from a logged-in user. The dangers of these attacks are only now coming to be understood but, whilst they are hard to pull off in a widespread attack, they are particularly useful for sophisticated attacks against a particular organisation. According to security researchers, cross-site request forgeries will be one of the most pressing concerns for Web 2.0 applications for the next ten years.

In terms of the social aspects, the outlook is perhaps brighter—so long as end-users wise up to the dangers of exposing personal information about themselves or the companies that they work for online. This is likely to be helped by the growing number of press reports that appear regarding data theft and loss, raising awareness of the issues, but companies must also play a part in educating their employees.

Published by: IT Analysis Communications Ltd.